On Mon, Feb 27, 2023 at 12:28:43PM -0800, Jesse Brandeburg wrote: > On 2/22/2023 5:42 PM, Jacob Keller wrote: > > The mux_chip structure size is over allocated to additionally include both > > the array of mux controllers as well as a device specific private area. > > The controllers array is then pointed to by assigning mux_chip->mux to the > > first block of extra memory, while the private area is extracted via > > mux_chip_priv() and points to the area just after the controllers. > > > > The size of the mux_chip allocation uses direct multiplication and addition > > rather than the <linux/overflow.h> helpers. In addition, the mux_chip->mux > > struct member wastes space by having to store the pointer as part of the > > structures. > > > > Convert struct mux_chip to use a flexible array member for the mux > > controller array. Use struct_size() and size_add() to compute the size of > > the structure while protecting against overflow. > > > > After converting the mux pointer, notice that two 4-byte holes remain in > > the structure layout due to the alignment requirements for the dev > > sub-structure and the ops pointer. > > > > These can be easily fixed through re-ordering the id field to the 4-byte > > hole just after the controllers member. > > Looks good to me (just a driver dev, not a mux dev!). Also added > linux-i2c mailing list and a couple others for more review. > > Reviewed-by: Jesse Brandeburg <jesse.brandeburg@xxxxxxxxx> > > related thread (cocci script) at [1] > > [1] > https://lore.kernel.org/all/20230227202428.3657443-1-jacob.e.keller@xxxxxxxxx/ *thread necromancy* Can we land this? It's the last struct_size() instance that the above Coccinelle script flags. Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -- Kees Cook
